One typical way of securing a computer system is to limit the ability of an adversary to use an application in an unapproved manner. Traditionally, this is accomplished by closing unnecessary ports, limiting access to open ports, minimizing the number of installed applications, and so on. In each case, considerable manual effort is required on the part of an administrator, who is often faced with the cumbersome process. Additionally, the security of the resulting system often comes at a cost of reduced convenience to authorized users of the system. Erring on the side of caution can result in a system on which essential software may be rendered unusable. Conversely, failing to recognize and mitigate vulnerable applications can quickly result in a compromised system. Compounding the problem, existing solutions typically require that a security policy be applied to an entire system, preventing the exclusion of portions of the system from the policy, and also precluding an incremental approach.
Therefore, it would be desirable to have a better way to secure a computer system.